Generally, a two party key distribution protocol (2PKDP=2 Party Key Distribution Protocol) and a three party key distribution protocol (3PKDP=3 Party Key Distribution Protocol) are well known as protocols for distributing session keys (cf. Japanese patent publication 3078841). In the 2PKDP, authentication is established between two nodes, that is, an initiator of communication and a responder of the communication. The 3PKDP is performed by the initiator of the communication, the responder of the communication, and an authentication server as an authenticator.
With regard to the 2PKDP, the node acting as the initiator which starts communication requests the node acting as the responder to provide a session key. In response, the node as the responder provides the session key to the node as the initiator. In this instance, the node as the initiator and the node as the responder share a common secret key preliminarily.
According to the technique of the 2PKDP disclosed in Japanese patent publication 3078841, when requesting provision of the session key, the node as the initiator creates a nonce and sends identification information (e.g., address) of the node as the initiator and the created nonce to the node as the responder. Upon receiving a request of providing the session key from the node as the initiator, the node as the responder creates the session key, and calculates a message authentication code value (MAC value) by use of the secret key from a message including the nonce, the session key, and identification information (e.g. address) of the node as the responder. Further, the node as the responder encrypts the session key and the MAC value, thereby creating an encryption message.
The node as the responder sends the encryption message together with the MAC value to the node as the initiator. The node as the initiator decrypts the encryption message with the secret key, thereby obtaining the session key. Because the MAC value is also sent to the node acting as the initiator, that node can check authenticity (i.e., it can check whether or not the encryption message has been altered by an unauthorized person).
According to the 3PKDP, one of the node as the initiator and the node as the responder relays data from the other to the authentication server, thereby establishing communication between the node and the authentication server. Therefore, both nodes can share the session key created by the authentication server. With regard to the 3PKDP, a push scenario and a pull scenario have been proposed. According to the push scenario, the node as the initiator directly communicates with the authentication server. According to the pull scenario, the node as the responder directly communicates with the authentication server.
In the push scenario, the node as the initiator communicates with the node as the responder and thereafter communicates with the authentication server, thereby receiving, from the authentication server, an encryption message for the node as the initiator and an encryption message for the node as the responder. Consequently, the node as the initiator obtains the session key from the encryption message for the node as the initiator. The node as the initiator delivers the encryption message for the node as the responder to the node as the responder. Thus, the node as the responder obtains the session key.
By contrast, in the pull scenario, the node as the initiator communicates with the node as the responder. In response, the node as the responder communicates with the authentication server, thereby receiving, from the authentication server, the encryption message for the node as the initiator and the encryption message for the node as the responder. Consequently, the node as the responder obtains the session key from the encryption message for the node as the responder, and delivers the encryption message for the node as the initiator to the node as the initiator. Thus, the node as the initiator obtains the session key.
Irrespective of protocols (push scenario and pull scenario) to be used, the MAC value is sent together with the encryption message including the session key in order to assure the authenticity (the encryption message is not altered). Besides, an encryption message for each node from the authentication server is encrypted or decrypted with a secret key which is shared by the authentication server and each node preliminarily.
Like the node as the responder of the 2PKDP, the authentication server of the 3PKDP calculates the MAC value by use of a secret key from a message including a nonce created by a corresponding node, a session key, and identification information of the corresponding node. The authentication server sends, to the corresponding node, an encryption message created by encrypting a combination of the session key and the MAC value.
FIG. 13 illustrates an instance for the push scenario in the 3PKDP. In the shown instance, a node A is defined as an initiator, and a node B is defined as a responder. In this instance, the node A preliminarily shares a secret key (common key) Kas with an authentication server S, and the node B preliminarily shares a secret key (common key) Kbs with the authentication server S.
First, the node A creates nonces Nas and Nab, and subsequently sends, to the node B, the created nonces Nas and Nab together with identification information IDa of the node A and identification information IDb of the node B (P1). Thereafter, the node B creates a nonce Nbs, and sends, to the authentication server S, the identification information IDb of the node B and the nonce Nbs in addition to the nonce Nas and the identification information IDa received from the node A (P2).
Upon receiving the nonces Nas and Nbs from the node B, the authentication server S creates a session key Ks. Further, the authentication server S calculates, by use of the secret key Kas shared with the node A, a message authentication code value (MAC value) MAC [Kas] (Nas, α, Ks, IDb) from a message containing the nonce Nas, the session key Ks, the identification information IDb of the node B, and predetermined additional information “α”. Further, the authentication server S uses the MAC value as a nonce Nsa, and encrypts a combination of the nonce Nsa and the session key Ks, thereby creating an encryption message ENC [Kas] (Nsa, Ks).
Moreover, the authentication server S calculates, by use of the secret key Kbs shared with the node B, a message authentication code value (MAC value) MAC [Kbs] (Nbs, β, Ks, IDa) from a message including the nonce Nbs, the session key Ks, the identification information IDa of the node A, and predetermined additional information “β”. Further, the authentication server S uses the MAC value as a nonce Nsb, and encrypts a combination of the nonce Nsb and the session key Ks, thereby creating an encryption message ENC [Kbs] (Nsb, Ks).
The aforementioned additional information “α” is defined as information to be sent to the node A, and the aforementioned additional information “β” is defined as information to be sent to the node B. For example, the additional information indicates an available period of the session key Ks.
The authentication server S sends the two encryption messages including the session key Ks respectively together with the MAC values and the additional information “α” and “β” to the node B (P3). Upon receiving the encryption message from the authentication server S, the node B decrypts the encryption message with the secret key Kbs, and then obtains the nonce Nsb and the session key Ks. The nonce Nsb is identical to the MAC value MAC [Kbs] (Nbs, β, Ks, IDa). Therefore, the node B calculates the MAC value by use of the nonce Nbs and the identification information IDa known to the node B together with the session key Ks and the additional information “β” obtained by the node B. The node B checks whether or not the calculated MAC value is identical to the received MAC value, in order to confirm the authenticity of the encryption message.
Thereafter, the node B transfers, to the node A, the encryption message ENC [Kas] (Nsa, Ks), the MAC value MAC [Kas] (Nas, α, Ks, IDb), and the additional information “α” for the node A which are received from the authentication server S. Further, in order to guarantee that the transfer is performed by the node B, the node B creates a new nonce Nba, and calculates the MAC value MAC [Ks] (Nab, Nba, IDb) based on the session key Ks, and sends, to the node A, the MAC value and the nonce Nba together with the encryption message ENC [Kas] (Nsa, Ks), the MAC value MAC [Kas] (Nas, α, Ks, IDb), and the additional information “α” (P4).
Upon receiving the encryption message ENC [Kas] (Nsa, Ks), the node A decrypts it with the secret key Kas, and then obtains the nonce Nsa and the session key Ks. Moreover, in a similar manner as the node B, the node A calculates the MAC value MAC [Kas] (Nas, α, Ks, IDb), and checks whether or not the calculated MAC value is identical to the received MAC value, in order to confirm the authenticity of the encryption message.
Thereafter, the node A calculates the MAC value MAC [Kas] (Nas, Ks) by use of the secret key Kas, and the MAC value MAC [Ks] (Nab, Nba) by use of the session key Ks, and sends the calculated MAC values to the node B (P5). The node B calculates the MAC value MAC [Ks] (Nab, Nba), and checks whether or not the received MAC values are sent from the node A, on the basis of the calculated MAC value (P5).
Further, the node B calculates the MAC value MAC [Kbs] (Nbs, Ks) by use of the secret key Kbs. The node B sends the calculated MAC value together with the MAC value MAC [Kas] (Nas, Ks) received from the node A to the authentication server S (P6). The authentication server S can check whether or not the received MAC values are sent from the node B, on the basis of these MAC values.
Accordingly, as apparent from the technique of key distribution disclosed in Japanese patent publication 3078841, the node or the authentication server creates the session key, and then, in order to distribute the session key, calculates the MAC value involving the nonce, and encrypts the session key and the MAC value to obtain the encryption message, and sends the obtained encryption message together with the MAC value.
In brief, in line with the teaching of the technique of key distribution disclosed in Japanese patent publication 3078841, the encryption message contains the session key and the MAC value involving the nonce. In the event of sending the additional information unknown to the node receiving the session key, the additional information is sent together with the encryption message and the MAC value without being encrypted.
Therefore, an unauthorized person can sniff the additional information. Especially, in the 3PKDP, either the authentication server or one node relaying the communication obtains the additional information for the other node. Thus, there is a problem that the additional information is not sent in a confidential fashion.
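The following added example (not code from the cited publication) models messages P3 and P4 of the push scenario to show that “α” is integrity-protected by the MAC yet readable by the relaying node B. The HMAC-SHA256 MAC, the HMAC-keystream stand-in cipher, the IV, the dictionary layout and all sample values are assumptions made for illustration.

```python
import hashlib, hmac, os

def mac(key, *fields):
    # MAC[K](f1, f2, ...): fields are length-prefixed so boundaries are unambiguous
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return h.digest()

def enc(key, iv, data):
    # Stand-in for ENC[K](...): XOR with an HMAC-SHA256 keystream (self-inverse)
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def server_message(k_node, nonce, info, ks, peer_id):
    # S: Ns = MAC[K](N, info, Ks, ID_peer); send ENC[K](Ns, Ks), the MAC, and info in clear
    ns = mac(k_node, nonce, info, ks, peer_id)
    iv = os.urandom(16)
    return {"iv": iv, "enc": enc(k_node, iv, ns + ks), "mac": ns, "info": info}

def node_accept(k_node, nonce, peer_id, msg):
    # Node: decrypt, recompute the MAC, compare with decrypted nonce and received MAC
    plain = enc(k_node, msg["iv"], msg["enc"])
    ns, ks = plain[:32], plain[32:]
    expect = mac(k_node, nonce, msg["info"], ks, peer_id)
    ok = hmac.compare_digest(expect, ns) and hmac.compare_digest(expect, msg["mac"])
    return ks if ok else None

def demo():
    kas, kbs, ks = os.urandom(32), os.urandom(32), os.urandom(16)
    nas, nbs = os.urandom(16), os.urandom(16)
    alpha = b"valid-until=constructed-A"   # constructed sample of additional information
    beta = b"valid-until=constructed-B"
    for_a = server_message(kas, nas, alpha, ks, b"IDb")   # part of P3
    for_b = server_message(kbs, nbs, beta, ks, b"IDa")    # part of P3
    b_key = node_accept(kbs, nbs, b"IDa", for_b)
    relay_view = for_a["info"]            # node B reads alpha without knowing Kas
    a_key = node_accept(kas, nas, b"IDb", for_a)          # P4 as received by A
    altered = dict(for_a, info=b"valid-until=altered")
    return {"a_ok": a_key == ks, "b_ok": b_key == ks,
            "alpha_visible_to_relay": relay_view == alpha,
            "altered_alpha_rejected": node_accept(kas, nas, b"IDb", altered) is None}

if __name__ == "__main__":
    print(demo())
```
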